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SUMMARY   OF   RECOMMENDATIONS 


As  a  separate  section  in  the  front  of  each  audit  report  we  include 
a  listing  of  all  recommendations  together  with  a  notation  as  to 
whether  the  agency  concurs  or  does  not  concur  with  each  recommen- 
dation. This  listing  serves  as  a  means  of  summarizing  the  recom- 
mendations contained  in  the  report  and  the  audited  agency's  reply 
thereto  and  also  as  a  ready  reference  to  the  supporting  comments. 
The  full  reply  of  the  Department  of  Revenue  (DofR)  is  included 
beginning  on   page  31. 


Recommendation  #1 
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The  department  limit  access  to  data  files 

and   programs  to  only  those  users   requiring 

access  to  perform  their  duties.  10 

Agency   Reply:      Concur.      See  page  32. 

Recommendation   #2 
The  department: 

A.  Establish  a  policy   preventing   the  use 

of  easily-guessed   passwords.  11 

Agency   Reply:      Concur.      See  page  32. 

B.  Periodically  test  for  easily-guessed 

passwords.  11 

Agency   Reply:      Concur.      See  page  32. 

Recommendation   #3 

The  department  discontinue  use  of  shared 

LOGONIDs.  12 

Agency   Reply:      Concur.      See  page  32. 

Recommendation   #4 

The  department  establish   formal   policy 

defining   the   responsibilities  for  data 

processing   security.  12 

Agency   Reply:      Concur.      See  page  32. 
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The  department  establish  a   post-implementa- 
tion  review  of  the  application  development 
process  14 

Agency   Reply:      Concur.      See  page  32. 

Recommendation   #6 

The  department  adopt  formal   procedures   for 

documentation  and   testing  of  maintenance 

projects.  15 

Agency   Reply:      Concur.      See  page  33. 

Recommendation   #7 
The  department: 

A.  Document  the  reason   for  deviations 
from  written  application  development 

procedures.  16 

Agency   Reply:      Concur.      See  page  33. 

B.  Define  the  procedures  to  be  followed 
when  deviation  from  written  develop- 
ment procedures   is  desirable.  17 

Agency   Reply:      Concur.      See  page  33. 

Recommendation   #8 
The  department: 

A.  Include  all  costs  and  benefits  in 

cost  benefit  analyses.  18 

Agency   Reply:      Concur.      See  page  33. 

B.  Use  present  value  techniques  to  con- 
vert net  costs  or  benefits  into  present 

dollar  values.  18 

Agency    Reply:      Concur.      See  page  33. 
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Page 
Recommendation   #9 
The  department: 

A.  Complete  application   documentation  as 

the  system  is  being  developed.  18 

Agency   Reply:      Concur.      See  page  33, 

B.  Ensure  documentation   is  complete  before 

applications  are   implemented.  18 

Agency   Reply:      Concur.      See  page  33. 

Recommendation   #10 

The  department  include  in   periodic  status 
reports: 

A.  The  overall   status  of  projects.  20 
Agency   Reply:      Concur.      See  page  34. 

B.  The  status  of  projects  pending  develop- 
ment and   projects  for  which  development 

has  been  temporarily   stopped.  20 

Agency   Reply:      Concur.      See  page  34. 

Recommendation   #11 

The  department  develop  a  disaster   recovery 
plan   for  critical   data  processing  applica- 
tions. 25 

Agency   Reply:      Concur.      See  page  34, 

Recommendation   #12 

The  department  arrange  for  off-site  storage 

of  data   processing   backup  files.  26 

Agency   Reply:      Concur.      See  page  34. 

Recommendation  #13 

The  department,   when  cost  beneficial,   allow 
research  and   information  division   program- 
ming of  microcomputer  applications.  28 

Agency   Reply:      Concur.      See  page  34. 
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Recommendation  #14 

The  department  adopt  a   policy  on  authorized 

use  of  microcomputer  equipment.  28 

Agency   Reply:      Concur.      See  page  34. 

Recommendation  #15 

The  department  adopt  a  policy  on  security 

of  information   stored  on  microcomputers.  29 

Agency   Reply:      Concur.      See  page  34. 


CHAPTER    I 

INTRODUCTION 

During  late  1982,  the  Office  of  the  Legislative  Auditor  con- 
ducted a  survey  of  state  data  processing  activities.  One  of  the 
potential  electronic  data  processing  (EDP)  audit  areas  identified  in 
the  survey  was  overall  data  processing  activities  of  larger  state 
agencies.  The  Legislative  Audit  Committee  requested  audits  of 
larger  users  of  data  processing  within  state  government.  This 
report  results  from  the  EDP  audit  of  the  Department  of  Revenue. 

OBJECTIVES  OF  AUDIT 

The  objectives  of  the  EDP  audit  of  the  Department  of  Revenue 
were: 

1  .        To     evaluate     the     adequacy     of     security     controls     over 
access  to  department  data  and   program  files. 

2.  To    evaluate    the   adequacy    of  department    preparation    for 
disaster   recovery. 

3.  To   evaluate   the   adequacy   of  procedures    for   development 
and  maintenance  of  data   processing  applications. 

4.  To    evaluate     the     reasonableness    of    department     use    of 
current  computer  technology. 

5.  To   evaluate   the   adequacy   of  department   policies   control- 
ling  microcomputer  use. 

6.  To    evaluate     the     reasonableness    of    department     use    of 
computer  file  matching. 

7.  To     evaluate     the     reasonableness     of     utilization     of     the 
department's   IBM  8130  minicomputer. 


SCOPE  OF  AUDIT 

During  the  EDP  audit  we  interviewed  Department  of  Revenue 
personnel,  and  reviewed  documentation  of  data  processing  activ- 
ities. The  audit  was  conducted  in  accordance  with  generally 
accepted     governmental     performance    auditing     standards.       During 


the  audit  we  informed  Department  of  Revenue  management  of 
potential  report  issues  and  recommendations  for  improvement. 
Department  management  provided  written  responses  to  potential 
report  issues  and   recommendations  during   the  audit, 

COMPLIANCE 

During  the  audit,  we  reviewed  compliance  with  rules  and 
regulations  relating  to  data  processing  activities  at  the  Department 
of  Revenue.  We  noted  no  instances  of  non-compliance  with  appli- 
cable  rules  or   regulations. 

For  those  rules  and  regulations  not  related  to  data  processing 
activities  at  the  department,  and  therefore  not  tested  for  compli- 
ance,   nothing  came  to  our  attention   that  indicated   non-compliance. 

MANAGEMENT  MEMORANDA 

As  a  result  of  the  preliminary  survey,  we  sent  a  management 
memorandum  to  Department  of  Revenue  officials  regarding  game 
programs  stored  on  the  computer.  The  existence  of  these  pro- 
grams could  lead  to  unauthorized  use  of  data  processing  resources. 
As  a  result  of  our  memorandum,  the  game  programs  were  removed 
from  the  system. 

The  audit  identified  additional  issues  for  which  management 
memoranda  were  sent.      These  issues  include: 

1 .  Performing     and     documenting     background     checks     when 
hiring  data   processing   professionals. 

2.  The  length  of  time  between   required   password  changes. 

3.  Using    time    budgets    to   monitor   system   development   proj- 
ect status. 

RECOMMENDATION    FOR   FUTURE  AUDIT 

The  audit  findings  discussed  in  Chapter  III  of  this  report 
relate  to  control  over  access  to  data  and  program  files.  The 
control   weaknesses  discussed   in   this  chapter  are   not  unique   to  the 


Department  of  Revenue.  Similar  findings  have  been  identified  in 
audits  of  other  agencies.  Because  of  the  importance  of  control 
over   access   to   computer   systems   we    recommend    that   an    EDP   audit 

»j  be  performed  on   security  over  the  state's  central   computer  system. 
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CHAPTER    II 
BACKGROUND 


ORGANIZATION 


The  Department  of  Revenue  is  organized  into  nine  divisions. 
The  Natural  Resources  and  Corporation  Tax,  Income  Tax,  Miscella- 
neous Tax,  and  Motor  Fuels  Tax  Divisions  report  to  the  Deputy 
Director  for  Operations.  The  Research  and  Information,  Legal  and 
Enforcement,  and  Centralized  Services  Divisions  report  to  the 
Deputy  Director  for  Support  Services.  Liquor  Division  and  Prop- 
erty Assessment  Division  report  directly  to  the  Director  of  the 
Department  of  Revenue. 


DEPARTMENT  OF  REVENUE 


ORGANIZATIONAL  CHART 
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Source:   Administrative  Rules  of  Montana 

The  primary  organizational  entity  responsible  for  Department 
of  Revenue  data  processing  is  the  Research  and  Information  Divi- 
sion. The  Research  and  Information  Division  is  organized  into 
three  bureaus:  Research  Bureau,  Operations  Bureau,  and  Systems 
Development  Bureau.  The  Research  Bureau  performs  economic  and 
statistical  analyses   for  the  department.      Data   processing   within   the 


Research  Bureau  is  limited  to  the  use  of  report  writing  and  statis- 
tical applications.  Because  of  the  limited  data  processing  activity, 
the  Research   Bureau  was  excluded  from  the  audit. 

The  Operations  Bureau  operates  the  department's  two  IBM 
System  8100  minicomputers.  Minicomputer  refers  to  a  wide  range 
of  computers  that  are  slower  at  processing,  and  generally  have 
smaller  storage  capacity  than  a  mainframe  such  as  the  IBM  3033 
processor  at  the  Department  of  Administration  computer  center. 
Minicomputers  are  faster  and  have  more  storage  than  microcomputers, 
Minicomputers  also  have  the  facility  to  process  several  data  pro- 
cessing applications  simultaneously.  Microcomputers  generally 
refer  to  single  user   "desk   top"  or  "personal"  computers. 

One  of  the  minicomputers  is  used  for  word  processing  and  the 
other  is  used  for  "data  processing."  The  data  processing  system 
is  used  to  submit  data  processing  jobs  and  to  retrieve  completed 
reports  for  printing  from  the  state's  IBM  3033  mainframe.  In 
addition  to  operating  the  minicomputers,  the  Operations  Bureau 
prepares  jobs  for  processing,  performs  data  entry  and  provides 
technical  support  to  other  bureaus  and  divisions  within  the  depart- 
ment. 

The  Systems  Development  Bureau  (SDB)  develops  and  main- 
tains computer  applications  for  the  Liquor  Division,  Centralized 
Services  Division,   and  the   Income  Tax   Division. 

Data  processing  activities  are  also  performed  outside  of  the 
Research  and  Information  Division.  Property  Assessment  Division 
employees  prepare  and  submit  data  processing  jobs,  and  retrieve 
output  for  their  division.  The  Property  Assessment  Division  also 
has  one  programmer/analyst  to  develop  and  maintain  data  process- 
ing applications  for  the  division.  A  Business  Tax  Unit  performs 
application  development  and  maintenance  for  the  Natural  Resource 
and  Corporation  Tax  Division,  Miscellaneous  Tax  Division,  and  the 
Motor  Fuel  Tax  Division.  Other  employees  within  the  Department 
of  Revenue  perform  limited  data  processing  duties,  but  are  not 
classified  as  data   processing   personnel. 


In  fiscal  years  1983-84  and  1984-85  the  Research  and  Informa- 
tion Division  was  authorized  53,5  full-time  equivalent  employees 
(FTE).  Eight  FTE  are  assigned  to  research  or  administrative 
positions.  The  remaining  45.5  FTE  perform  full-time  support  for 
data  processing  activities.  Below  is  a  schedule  of  authorized  data 
processing   positions  by  function. 

nEPARTMENT  OF  REVENUE 

DATA  PROCESSING  POSITIONS 

Function  FTE 

Management  3.0, 

Application  Development  12.0 
Operations  ^'^o 

Data  Entry  32.0 

Total  52.5 

Does  not  include  one  position  reclassified  to  programmer/analyst 
which  was  vacant  at  the  time  of  our  audit. 

2 
Includes  7  FTE  for  part-time  data  entry  positions  assigned  to  the 

Property  Assessment  Division. 


FUNDING 

During  fiscal  year  1983-84,  costs  for  data  processing  services 
excluding  computer  processing  charges  from  the  Department  of 
Administration,  Information  Services  Division,  were  recorded  by 
the  Research  and  Information  Division.  Funding  of  the  Research 
and  Information  Division  was  75  percent  from  the  General  Fund  and 
25  percent  from  the  Liquor  Enterprise  Fund.  Computer  processing 
charges  were  also  recorded  by  the  divisions  using  the  data  process- 
ing applications.  The  Department  of  Revenue  reported  data  process- 
ing expenditures  as  follows: 


DEPARTMENT  OF  REVENUE 

DATA  PROCESSING  EXPENDITURES 

FISCAL  YEAR  1983-84 

(UNAUDITED) 

Personal  Services  $   839,782 

Computer  Processing  642,798 

Equipment  28,720 

Software  33,354 

Data  Processing  Supplies  10,777 

Data  Processing  Communications  18,999 

Total  $1,574,430 


The  total  reported  by  the  Department  of  Revenue  also  included 
$33,354  shown  separately  as  software  costs.   This  figure  has  been 
adjusted  to  show  the  correct  amount. 

Source:   Department  of  Revenue  Long-Range  Data  Processing  Plan 


The  costs  reported  above  include  only  salaries  of  personnel 
classified  in  the  data  processing  positions.  Administrative  person- 
nel and  personnel  performing  data  processing  functions,  but  not 
classified  in  a  data  processing  position,  are  excluded.  The  above 
costs  also  do  not  include  items  such  as  office  supplies,  telephone 
charges,  etc.  which  are  used  in  support  of  data  processing  activ- 
ities. 

LONG-RANGE   DATA   PROCESSING   PLAN 

In  fiscal  year  1984-85,  the  Department  of  Revenue  completed  a 
long-range  data  processing  plan  for  the  1987  Biennium.  The 
Department  of  Revenue  plan,  along  with  plans  from  other  depart- 
ments,   has  been   combined   into  a  statewide   long-range  plan. 

The  Department  of  Revenue's  long-range  data  processing  plan 
outlines  data  processing  goals  for  the  next  biennium  and  strategies 
for  achieving  those  goals.  The  plan  also  presents  data  processing 
accomplishments  of  the  department  over  the  past  two  years,  data 
processing    expenditures    for    fiscal    years    1982-83    and    1983-84    and 


projected     data    processing    expenditures     for     fiscal    years     1984-85 
through   1986-87. 

We  reviewed  past  accomplishments  and  expenditures  in  the 
plan.  We  determined  that  past  accomplishments  and  past  expendi- 
tures reported  in  the  plan  are  reasonably  presented.  Because  the 
final  plan  was  not  completed  prior  to  completion  of  the  EDP  audit, 
we  did  not  evaluate  the   reasonableness  of  the  long-range  plan. 


CHAPTER   III 
ACCESS   CONTROLS 

The  Department  of  Revenue  collects  and  processes  a  large 
amount  of  data.  Much  of  the  data  collected  is  confidential  by 
statute  and  must  be  protected  from  unauthorized  disclosure.  In 
addition,  the  application  programs  themselves  must  be  protected 
from  accidental  or   intentional   destruction  or  alteration. 

A  primary  method  for  controlling  access  to  the  state's  computer 
system,  computer  programs,  and  data  files  is  the  access  control 
program  ACF2.  Authorized  users  of  the  state's  computer  system 
are  identified  using  ACF2.  The  departments  can  then  write  rules 
defining  which  users  have  access  to  program  libraries  and  data 
files  "owned"  by  the  departments.  Using  ACF2  the  level  of  access 
can  also  be  limited.  Users  may  be  given  access  to  read  a  file  or 
execute  a  program,  but  not  access  to  write  or  modify  a  file  or 
program. 

In  our  examination,  we  identified  several  areas  where  controls 
over  access  to  the  computer  system,  data  files,  or  computer  pro- 
grams could  be  improved. 

DATA  AND   PROGRAM   FILE  ACCESS 

Access  to  data  files  and  computer  programs  should  be  limited 
to  users  requiring  access  to  perform  their  duties.  We  examined 
access  controls  protecting  Department  of  Revenue  data  and  pro- 
gram files.      We  noted   several  areas  where  access  was  excessive. 

Current  access  controls  allow  all  members  of  the  database 
support  section  of  the  Department  of  Administration  Systems  Devel- 
opment Bureau  to  read  and  alter  most  income  tax  and  corporation 
tax  files.  Some  access  by  database  support  section  personnel  is 
necessary  to  support  the  development  and  maintenance  of  database 
applications.  Not  all  members  of  the  database  support  section  need 
access  to  Department  of  Revenue  files.  In  addition,  those  data- 
base support  personnel  needing  access  to  department  files  do  not 
need  access  to  all   income  and  corporation   tax  files. 


We  also  determined  that  Department  of  Revenue  application 
development  personnel  have  unrestricted  access  to  computer  pro- 
grams and  data  files  for  applications  they  support.  Once  develop- 
ment is  completed,  application  development  personnel  should  have 
only  limited  access  to  computer  programs  and  data  files.  Some 
access  will  be  required  in  order  for  development  personnel  to 
perform  emergency  repairs  to  applications.  At  a  minimum,  such 
access  should  be  logged  and  reviewed  to  ensure  against  unauthor- 
ized alterations  to  programs  or  data  files. 

During  our  preliminary  survey  of  data  processing  activities, 
we  determined  that  no  protection  was  provided  over  program 
libraries  belonging  to  individual  users.  We  reviewed  the  contents 
of  these  libraries.  One  contained  a  password  that  provides  access 
to  Department  of  Revenue  records  on  the  Payroll,  Personnel, 
Position  Control  (PPP)  Database,  The  PPP  database  contains 
confidential  personnel  information.  We  informed  the  Department  of 
Revenue  that  user  libraries  were  not  protected.  The  department 
has  since  restricted  access  to  user  libraries, 

RECOMMENDATION   #1 

WE  RECOMMEND  THE  DEPARTMENT  OF  REVENUE  LIMIT 
ACCESS  TO  DATA  FILES  AND  PROGRAMS  TO  ONLY  THOSE 
USERS   REQUIRING   ACCESS   TO    PERFORM   THEIR   DUTIES, 


SYSTEM  ACCESS 

To  obtain  access  to  the  state's  computer  system,  users  must 
first  identify  themselves  to  the  system  using  an  identification 
number  (LOGON  ID),  and  provide  a  password.  We  identified  two 
ways  the  Department  of  Revenue  could   better  control   user  access. 

Trivial   Passwords 

We  tested  a  sample  of  Department  of  Revenue  employee  LOGON  IDs 
for   the   use   of   trivial,    easy-to-guess    passwords.      We    successfully 
guessed   passwords   for  one-third   of  the   LOGON  IDs   tested   in   three 
attempts  or   less.      Using   these   LOGONIDs,    we  could    have   accessed 
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several   of  the  department  data   files   including   access  to  confidential 
income  tax  files. 

To  ensure  trivial,  easy-to-guess  passwords  are  not  used  by 
Department  of  Revenue  employees,  the  department  should  establish 
a  policy  against  the  use  of  easily-guessed  passwords,  and  period- 
ically test  for  the  use  of  easily-guessed  passwords. 

RECOMMENDATION   #2 

WE   RECOMMEND   THE   DEPARTMENT   OF   REVENUE: 

A.  ESTABLISH   A   POLICY    PREVENTING   THE   USE  OF   EASILY- 
GUESSED   PASSWORDS. 

B.  PERIODICALLY       TEST       FOR      EASILY-GUESSED       PASS- 
WORDS. 


Shared   LOGON  ID   Identification   Numbers 

During  our  examination  we  determined  that  several  LOGONIDs 
were  being  shared  among  groups  of  users.  As  an  example,  one  ID 
was  assigned  to  "Revenue  ITD"  and  was  used  by  several  employees 
of  the  Income  Tax  Division.  When  LOGONIDs  are  shared,  the 
password  associated  with  the  ID  must  also  be  shared.  Sharing 
passwords  increases  the  chances  that  the  password  will  be  dis- 
closed to  someone  other  than  an  authorized  user.  When  the  pass- 
word for  a  shared  ID  is  changed,  the  new  password  must  be 
communicated  to  all  persons  using  the  ID.  Because  of  the  difficulty 
in  notifying  all  users,  passwords  may  not  be  changed  as  often  as 
necessary,   or  simple,   easy-to-guess  passwords  may  be  used. 

Access  to  data  and  program  files  are  related  to  the  duties  of 
the  user.  An  unauthorized  person  accessing  the  system  would 
have  the  same  program  and  data  file  access  allowed  the  owner  of 
the  LOGONID.  To  reduce  the  exposure  of  unauthorized  access  to 
the  state's  computer  system  the  Department  of  Revenue  should 
discontinue  use  of  shared   LOGONIDs. 
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RECOMMENDATION   #3 

WE     RECOMMEND    THE    DEPARTMENT    OF     REVENUE     DISCON- 
TINUE USE  OF  SHARED   LOGONIDs. 


Department  Security   Policy 

Currently,  the  Department  of  Revenue  has  no  formal  policies 
on  data  security.  To  ensure  adequate  protection  over  access  to 
department  data  files,  responsibility  for  protection  should  be 
formally  defined  in  department  policy.  An  "owner"  should  be 
established  for  all  data  files.  The  "owner"  should  be  responsible 
for  defining  who  should  be  allowed  access  to  the  data  files.  The 
person  responsible  for  data  security  should  then  provide  the  level 
of  security   requested  by  the  owner. 

RECOMMENDATION   #'< 

WE  RECOMMEND  THE  DEPARTMENT  OF  REVENUE  ESTABLISH 
FORMAL  POLICY  DEFINING  THE  RESPONSIBILITIES  FOR 
DATA   PROCESSING   SECURITY. 
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CHAPTER    IV 
APPLICATION    DEVELOPMENT   AND  MAINTENANCE 

In  1982,  the  Department  of  Revenue,  Research  and  information 
Division,  revised  its  development  process  for  computer  applica- 
tions. At  the  time  of  our  examination,  no  development  projects 
were  completed  following  the  revised  procedures.  Consequently, 
we  were  unable  to  evaluate  the  adequacy  of  all  phases  of  the 
development  process  or  predict  the  quality  of  future  systems. 

Employees  of  the  Business  Tax  Unit  indicated  that  Research 
and  Information  Division  development  procedures  will  be  followed 
for  development  projects.  Property  Assessment  Division  employees 
indicated  that  development  will  follow  the  more  detailed  procedures 
of  the  Department  of  Administration  Systems  Development  Bureau. 
In  this  chapter,  we  discuss  our  findings  related  to  the  adequacy 
of  application  development  and  maintenance  procedures,  compliance 
with  established   procedures,   and   project  control. 

APPLICATION   DEVELOPMENT   AND  MAINTENANCE   PROCEDURES 

We  examined  application  development  and  maintenance  proce- 
dures for  the  Research  and  Information  Division  as  documented  in 
the  division  policy  and  procedures  manual.  We  identified  two  areas 
where  application  development  and  maintenance  procedures  could  be 
improved.  These  areas  relate  to  post-implementation  review  and 
application  maintenance  procedures. 

Post-Implementation   Review 

Department  procedures  do  not  provide  for  a  post-implementa- 
tion review  of  the  application  development  process.  A  post-imple- 
mentation review  should  be  performed  to  obtain  feedback  on  where 
the  application  development  process  was  successful,  and  where  the 
process  needs   improvement. 


13 


In    performing    a    post-implementation    review,    the    department 
should  analyze: 

1 .  Whether  development  and  implementation  progressed 
according   to  plan. 

2.  Whether  original  cost  benefit  projections  were  accurate, 
and  whether  the  application  is  cost  beneficial  as  imple- 
mented. 

3.  Whether  application   security   is  adequate. 

4.  Whether  the  application  meets  user  needs,  or  if  addition- 
al  revisions   should   be  made  to  the  application. 

5.  Whether  application  documentation  is  complete  and  ade- 
quate. 

A  post-implementation  review  should  be  performed  after  an  applica- 
tion has  been  operational  for  at  least  six  months.  Generally  within 
six  months,  users  are  familiar  with  the  application  and  minor 
post-implementation  corrections  have  been  completed.  After  six 
months,  sufficient  information  should  exist  to  perform  a  review  of 
the  actual  costs  and   benefits  of  the  application. 

RECOMMENDATION   #5 

WE  RECOMMEND  THAT  THE  DEPARTMENT  OF  REVENUE 
ESTABLISH  A  POST-IMPLEMENTATION  REVIEW  OF  THE 
APPLICATION    DEVELOPMENT    PROCESS. 


Maintenance  Procedures 

The  Research  and  Information  Division  policy  and  procedures 
manual  provides  detailed  procedures  for  application  development, 
but  discussion  of  systems  maintenance  procedures  is  limited. 
System  maintenance  is  an  important  activity.  Studies  indicate  that 
up  to  80  percent  of  the  total  cost  over  the  lifetime  of  an  applica- 
tion is  spent  on  maintenance.  Time  records  maintained  by  the 
Research  and  Information  Division  for  the  period  of  January  through 
August  1984  indicate  that  over  7,000  hours  were  spent  on  applica- 
tion maintenance  and  enhancement. 
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There  are  two  significant  potential  problems  whenever  applica- 
tion maintenance  is  performed.  The  first  is  that  changes  to  one 
portion  of  an  application  may  cause  unexpected  results  elsewhere. 
The  second  is  that  application  documentation  will  not  be  properly 
updated.  Failure  to  properly  update  application  documentation  can 
hinder  both  future  maintenance  changes  and  problem  resolution  if 
unexpected   results  occur  following  application  changes. 

Current  maintenance  procedures  at  the  Department  of  Revenue 
are  limited  to  service  requests  and  establishing  priority  for  mainte- 
nance projects.  Procedures  do  not  discuss  the  testing  or  documen- 
tation of  maintenance  changes.  The  department  should  adopt 
formal   maintenance  procedures  to  ensure: 

1.  Program    documentation     is     updated     for    all     maintenance 
changes,   and 

2.  Maintenance  changes  are  tested   prior  to  implementation. 

RECOMMENDATION   #6 

WE  RECOMMEND  THE  DEPARTMENT  OF  REVENUE  ADOPT 
FORMAL  PROCEDURES  FOR  DOCUMENTATION  AND  TESTING 
OF  MAINTENANCE   PROJECTS. 


COMPLIANCE  WITH   SYSTEM  DEVELOPMENT    PROCEDURES 

We  examined  documentation  for  three  development  projects  in 
progress  in  fiscal  year  1983-81  to  determine  compliance  with  appli- 
cation development  procedures.  Projects  reviewed  included  the 
Liquor  Inventory  Management  System  (LIMS),  the  income  tax 
Statistical  Analysis  Audit  Criteria  system  (SAAC),  and  the  With- 
holding  Tax  On-line  System. 

The  Department  of  Revenue  uses  a  four-phase  approach  to 
application  development.  The  first  phase,  project  definition,  is 
used  to  define  the  scope  of  a  development  project.  In  the  second 
phase,  functional  design,  a  general  design  is  prepared  for  the 
proposed  application.  Users  can  then  confirm  that  the  application 
will    meet    their    needs.       In    the    third    phase,     procedural    design. 
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development  personnel  prepare  detailed  specifications  of  the  appli- 
cation, in  the  fourth  phase,  system  construction,  development 
personnel  code,   test,   and   install   the  new  application. 

Two  of  the  three  applications  reviewed  were  still  in  the 
development  process.  At  the  time  of  our  review,  the  Liquor 
Inventory  Management  System  was  in  the  functional  design  phase 
of  development  (phase  two).  The  SAAC  project  was  also  in  phase 
two;  however,  development  has  been  halted  due  to  rearrangement 
of  department  priorities.  The  third  application,  the  Withholding 
On-line  System,  was  a  major  enhancement  project  that  had  been 
completed  at  the  time  of  our  review. 

We  determined  that  phases  completed  for  the  SAAC  system 
and  the  LIMS  system  adequately  complied  with  the  procedures  and 
policy  manual.  The  Withholding  On-line  System,  however,  deviated 
substantially  from  documented  application  development  procedures. 
Application  development  personnel  explained  that  deviations  from 
documented  development  procedures  resulted  because  the  system 
was  a  test  project. 

Documentation  for  the  Withholding  project  does  not  discuss 
the  reasons  for  departure  from  development  procedures,  and  does 
not  document  procedures  that  were  to  be  used   for  the  project. 

It  is  important  to  document  application  development  proce- 
dures to  ensure  each  member  of  the  development  team,  including 
application  development  management  and  users,  is  aware  of  respon- 
sibilities. Documentation  of  development  procedures  should  pre- 
vent misunderstandings  as  the  project  progresses,  and  ensure  the 
project  is  completed  as  intended.  Compliance  with  documented 
development  procedures  will  not  be  appropriate  for  all  development 
projects.  When  deviation  from  documented  procedures  is  neces- 
sary, the  reason  for  the  deviation  and  the  procedures  to  be  fol- 
lowed  should  be  documented. 

RECOMMENDATION   #7 

WE   RECOMMEND   THE   DEPARTMENT   OF   REVENUE: 
A.       DOCUMENT   THE   REASON    FOR   DEVIATIONS    FROM  WRITTEN 
APPLICATION    DEVELOPMENT   PROCEDURES. 
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B.  DEFINE  THE  PROCEDURES  TO  BE  FOLLOWED  WHEN 
DEVIATION  FROM  WRITTEN  DEVELOPMENT  PROCE- 
DURES   IS   DESIRABLE. 


COST    BENEFIT   ANALYSES 

Phase  one  of  the  application  development  process,  the  project 
definition  phase,  requires  a  cost  benefit  analysis  of  development 
alternatives.  We  evaluated  cost  benefit  analyses  performed  for  the 
SAAC  application  and  the  Liquor   Point  of  Sale   (POS)   application. 

The  cost  benefit  analysis  performed  for  the  SAAC  application 
did  not  include  all  costs  associated  with  the  development  of  the 
application.  Development  personnel  costs  were  excluded.  All 
costs  and  all  benefits  for  alternatives  should  be  included  to  pre- 
sent the  total  projected  cost  and  benefit  of  the  proposed  applica- 
tion. 

The  cost  benefit  analysis  performed  for  the  Liquor  Point  of 
Sale  application  compared  costs  and  benefits  of  the  two  primary 
alternatives.  Information  included  in  the  analysis  was  well  sup- 
ported in  accompanying  documentations.  We  identified  two  areas 
for   improvement  of  the   POS  cost  benefit  analysis. 

The  POS  cost  benefit  analysis,  like  the  SAAC  analysis,  did 
not  include  all  personnel  costs.  Only  the  additional  personnel 
necessary  to  develop  and  maintain  the  application  were  included. 
The  analysis  also  did  not  include  all  computer  production  costs  and 
supplies  for  the  application.  Only  additional  production  costs  and 
supplies  were  included. 

The  POS  analysis  converted  the  annual  net  savings  into  a 
cumulative  savings  at  fiscal  year-end  1994.  A  more  appropriate 
technique  would  be  to  convert  annual  net  savings  to  a  present 
value,  either  at  initiation  of  development  or  implementation  of  the 
application . 

The  Department  of  Revenue  analysis  indicated  a  cumulative 
benefit  of  $1,832,636  through  fiscal  year  1994.  Using  present 
value  analysis  and  the  12  percent  interest  rate  used  in  the  Depart- 
ment     of      Revenue      analysis,      we     estimate     development     of     the 
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application  had  a  net  benefit  (tiie  application  benefits  less  the  cost 
of  application  development  and  operation)  to  the  state  of  $470,500 
in   1983,   when   the  project  was   initiated. 

RECOMMENDATION   #8 

WE   RECOMMEND   THE   DEPARTMENT   OF   REVENUE: 

A.  INCLUDE  ALL  COSTS   AND    BENEFITS    IN    COST    BENEFIT 
ANALYSES. 

B.  USE    PRESENT    VALUE    TECHNIQUES    TO    CONVERT    NET 
COSTS  OR   BENEFITS   INTO   PRESENT   DOLLAR  VALUES. 


SYSTEM   DOCUMENTATION 

During  our  examination  of  system  documentation,  we  identified 
two  systems  with  incomplete  documentation:  the  Corporate  Tax 
System  and  the  Withholding  On-line  System.  Documentation  is  an 
important  part  of  the  application  development  process.  Incomplete 
or  inadequate  documentation  hinders  the  maintenance  of  application 
and  may  cause  excessive  costs  in  application  maintenance.  Docu- 
mentation of  computer  applications  should  be  completed  as  the 
applications  are  developed.  If  applications  are  implemented  before 
the  documentation  is  completed,  the  development  personnel  are 
often  assigned  to  other  projects,  preventing  the  completion  of 
documentation. 

RECOMMENDATION   #9 

WE   RECOMMEND   THE   DEPARTMENT   OF   REVENUE: 

A.  COMPLETE      APPLICATION      DOCUMENTATION      AS      THE 
SYSTEM    IS   BEING   DEVELOPED. 

B.  ENSURE     DOCUMENTATION     IS     COMPLETE     BEFORE    AP- 
PLICATIONS  ARE    IMPLEMENTED. 


PROJECT   CONTROL 

Success  of  an  application  development  project  can  be  defined 
as  providing  the  application  that  the  user  requested  within  the 
time     frame    and    costs    agreed     upon.       In     order    to    evaluate    the 


success  of  the  development  process,  accurate  and  timely  informa- 
tion must  be  maintained  relating  to  the  scope  of  the  application 
being  developed,  deadlines  for  completion  of  project  phases,  and 
the  estimated  cost  of  the  project.  It  is  also  essential  that  applica- 
tion development  management  and  the  user  be  informed  of  the 
progress  of  the  development  process.  We  examined  project  control 
procedures  and  identified  areas  where  procedures  could  be  im- 
proved. 

Project  Status   Reports 

Currently,  each  project  development  unit  prepares  a  biweekly 
status  report.  The  status  report  identifies  the  amount  of  time 
spent  by  category.  The  report  also  provides  a  brief  discussion  of 
the  status  of  projects  worked  on  during  the  period.  For  each 
project,  the  status  report  includes  a  deadline  for  completion  (the 
date  completed  for  projects  completed)  and  a  discussion  of  work 
planned   for  the  next  two-week   period. 

We  determined  that  project  status  reports  are  adequate  for 
maintenance  projects.  Because  of  their  priority  and  short  dura- 
tion, maintenance  projects  are  usually  completed  during  the  two- 
week  period  they  were  requested,  or  during  the  following  two- 
week   period. 

Project  status  reports  were  not  as  informative  for  development 
projects.  Project  status  reports  only  discuss  projects  currently  in 
progress.  If  a  project  is  discontinued,  the  status  of  the  project  is 
not  discussed  until  development  is  again  started.  Current  status 
reports  do  not  report  development  projects  which  have  been  re- 
quested but  are  still  pending  development.  Such  information  may 
not  be  necessary  on  a  biweekly  basis;  however,  the  department 
should  periodically  report  the  status  of  all  projects  either  pending 
development  or  on   hold. 

Current  project  status  reports  only  report  on  the  progress 
for  the  two-week  period  completed  and  planned  progress  for  the 
following  two  weeks.  Status  reports  do  not  indicate  the  overall 
status     of    a     development     project.       Overall     progress     should     be 
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reported  on   the  overall   status   report  to   indicate   the  status  of  each 
development  project. 

RECOMMENDATION  #10 

WE  RECOMMEND  THE  DEPARTMENT  OF  REVENUE  INCLUDE  IN 

PERIODIC  STATUS  REPORTS: 

A.  THE  OVERALL  STATUS  OF  PROJECTS;  AND 

B.  THE  STATUS  OF  PROJECTS  PENDING  DEVELOPMENT, 
AND  PROJECTS  FOR  WHICH  DEVELOPMENT  HAS  BEEN 
TEMPORARILY  STOPPED. 


I 
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CHAPTER  V 
APPLICATION   DEVELOPMENT   ORGANIZATION 

During  the  audit  of  data  processing  activities  at  the  Depart- 
ment of  Revenue,  we  reviewed  the  organization  of  application 
development. 

Prior  to  September  1983,  application  development  was  central- 
ized within  the  Systems  Development  Bureau  of  the  Research  and 
Information  Division.  In  September  1983,  the  department  reorgan- 
ized the  application  development  function.  A  systems  analyst  and 
two  programmer  analysts  were  assigned  to  a  Business  Tax  Unit. 
The  Business  Tax  Unit  reports  to  the  deputy  director  for  Opera- 
tions and  performs  application  development  and  maintenance  for 
National  Resource  and  Corporation  Tax  Division,  Miscellaneous  Tax 
Division,   and  Motor   Fuel   Tax  Division. 

One  programmer/analyst  was  assigned  to  the  Property  Assess- 
ment Division  to  perform  application  development  and  maintenance 
for  the  division. 

The  Systems  Development  Bureau  of  the  Research  and  Informa- 
tion Division  was  reorganized  into  three  units.  Income  Tax,  Liquor, 
and  Support  Services.  The  Liquor  and  Income  Tax  Units  are 
assigned  priorities  and  report  project  status  to  the  Liquor  and 
Income  Tax  Division  administrators.  The  Support  Services  Unit 
performs  application  development  and  maintenance  for  the  Central- 
ized Services  Division,  Research  and  Information  Division  and  the 
Legal  and  Enforcement  Division.  Priorities  for  the  Support  Ser- 
vices Unit  are  established  by  the  deputy  director  for  Support 
Services.      The  unit  reports   project  status  to  the  deputy  director. 

Following  is  an  organizational  chart  of  the  application  develop- 
ment function   within   the  Department  of  Revenue: 
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Direct  report  lines 


-  -  -  Indirect  reporting  (.information  only)  priorities  are  estab- 
lished through  this  line 

Liquor  information  management  system  project  leader  reports 
directly  to  the  Liquor  Division  administrator. 

2 
Indirect  reporting  to  Motor  Fuels,  Miscellaneous  Tax,  and  Corpora- 
tion and  Natural  Resource  Tax  Division  administrators. 

Source:   Prepared  by  the  Office  of  the  Legislative  Auditor. 

Documentation  indicates  the  reorganization  was  performed  to 
improve  communication  between  development  and  operating  division 
personnel,  and  to  provide  division  administrators  greater  control 
over  application  development. 

There  are  advantages  and  disadvantages  to  both  centralization 
and    decentralization    of   application    development.       In    general,    the 
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advantages  of  one  type  of  organization  are  disadvantages  of  tlie 
other.  The  chart  below  compares  the  advantages  and  disadvan- 
tages of  centriilized  and  decentralized  organizations. 

CENTRALIZED  ORGANIZATION 


Advantages 

A  larger  pool  of  development 
staff  is  available  allowing 
greater  flexibility  in  project 
staff. 

Maintenance  activities  can  be 
segregated  from  development 
activities  allowing  development 
staff  to  concentrate  on  develop- 
ment projects. 

Technical  expertise  is  central- 
ized, allowing  the  sharing  of 
specialized  skills. 

Centralization  facilities  coord- 
ination of  department-wide  proj- 
ects and  projects  which  cross 
division  lines. 


Disadvantages 

Conflicts  may  arise  relating 
to  priorities  for  develop- 
ment and  in  coordinating 
department-wide  systems. 

Development  staff  are  organ- 
izationally segregated  from 
users  which  may  restrict 
communications  and  limit 
understanding  of  user  needs. 


DECENTRALIZED  ORGANIZATION 


Advantages 

Development  staff  is  located 
within  the  operational  divi- 
sions providing  greater  famil- 
iarity with  user  division 
operations  and  needs. 

Division  management  directly 
contr<ils  application  develop- 
ment activities,  establishing 
priorities,  and  monitoring 
project  status. 


Disadvantages 

Smaller  pool  of  development 
staff  restricts  staffing 
flexibility. 

Division  priorities  for 
application  development  may 
not  be  consistent  with 
department-wide  priorities. 
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The  centralized  organization  of  system  development  activities 
was  in  place  for  less  than  three  months  prior  to  the  September 
1984  reorganization.  Based  on  our  review  we  believe  that  most  of 
the  problems  leading  to  reorganization  could  have  been  eliminated 
had   the  department  implemented  adequate  procedures   for: 

-  establishing  department-wide  priorities, 

-  controlling  development  projects,   and 

-  reporting   development  project  status. 

Since  the  decentralization  of  development  activities,  application 
development  has  been  limited.  At  the  time  of  our  audit,  insuffi- 
cient information  was  available  to  evaluate  the  adequacy  of  current 
application  development  organization. 


2H 


CHAPTER  VI 

DISASTER   PREPAREDNESS 

Disaster  recovery  procedures  provide  for  continuation  of 
operations  following  a  disaster  such  as  fire,  flood,  or  earthquake. 
We  examined  disaster  recovery  planning  and  disaster  backup  for 
Department  of  Revenue  systems. 

DISASTER   PLANNING 

The  Department  of  Revenue  currently  has  no  contingency  plan 
for  the  recovery  of  data  processing  applications  following  a 
disaster.  Because  no  plan  exists,  the  department  would  have  to 
develop  recovery  procedures  following  a  disaster.  Lack  of  a  plan 
could  cause  unnecessary  delay  and  excessive  costs  in  recovery  of 
critical  applications. 

The  department's  ability  to  recover  from  a  disaster  would 
depend  on  the  size  and  nature  of  the  disaster.  Destruction  of  the 
state's  central  computer  system  would  seriously  impair  the  ability 
to  process  data  such  as   Income  Tax  and  Withholding  Tax   returns. 

The  Department  of  Revenue  should  improve  disaster  prepared- 
ness for  data  processing  applications.  At  a  minimum,  the 
department  should: 

1.  Identify  critical  applications  that  would   require   recovery. 

2.  Develop    an    inventory    of    resources    required    to    recover 
the  critical  applications. 

3.  Ensure     that     adequate     program     and     data     file     backup 
exists  to  recover  critical  applications. 

4.  Begin   development  of   procedures   for   recovery   of  critical 
applications. 

RECOMMENDATION    #11 


WE  RECOMMEND  THE  DEPARTMENT  OF  REVENUE  DEVELOP  A 
DISASTER  RECOVERY  PLAN  FOR  CRITICAL  DATA  PROCESS- 
ING  APPLICATIONS. 
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DATA   FILE   BACKUP 

The  Department  of  Revenue  does  not  maintain  off-site  backup 
for  most  data  processing  systems.  Most  department  data  files  are 
located  at  the  Department  of  Administration,  Information  Services 
Division  (ISD),  computer  center.  Should  a  disaster  destroy  the 
ISD  computer  center.  Department  of  Revenue  data  files  might  also 
be  destroyed.  Off-site  backup  of  critical  data  files  is  essential  to 
reduce  the  chance  that  all  copies  of  a  data  file  are  destroyed. 

ISD  provides  backup  for  files  stored  on  magnetic  disk,  but 
discourages  agencies  from  relying  on  ISD  backup.  Since  files  from 
many  agencies  are  included  on  the  ISD  backup,  the  department 
would  have  a  difficult  time  taking  the  tapes  to  a  remote  location 
for  processing.  The  department  could  improve  current  backup 
procedures  by  requesting  ISD  to  move  copies  or  generations  of 
current  backup  tapes  to  an  off-site  vault. 

Off-site  backup  is  also  not  maintained  for  files  stored  on  the 
department's  two  IBM  System  8100  minicomputers.  Currently,  the 
only  backup  for  the  minicomputer  files  is  stored  in  the  Department 
of  Revenue  computer  room.  A  disaster  that  destroyed  the  files  in 
the  computer  room  would  likely  destroy  the  backup  files.  The 
department  could  improve  backup  for  the  minicomputer  files  by 
moving   backup  files  to  a   location  outside  of  the  Mitchell   Building. 

RECOMMENDATION   #12 

WE    RECOMMEND    THE    DEPARTMENT    OF    REVENUE    ARRANGE 

FOR     OFF-SITE     STORAGE     OF     DATA     PROCESSING     BACKUP 

FILES. 
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CHAPTER  VII 
OTHER    ISSUES 
MICROCOMPUTER   USAGE 

The  Department  of  Revenue  is  currently  using  microcomputers 
for  several  small  data  processing  systems.  Microcomputers  are 
used  for  timber  and  utility  appraisal  systems  and  for  recording 
bad  debt  receivables.  A  microcomputer  is  also  being  used  in  a 
test  project  to  communicate  with  electronic  cash  registers  and  to 
track   inventory  at  a   liquor  store. 

The  department  plans  to  use  microcomputers  in  the  Liquor 
Inventory  Management  and  Child  Support  Enforcement  systems 
currently   being   developed. 

We  examined  department  policies  relating  to  microcomputer 
usage.  In  our  examination,  we  identified  areas  where  current 
policy  should   be  clarified  or  new   policy   should   be  adopted. 

Microcomputer  Programming 

Department  of  Revenue  microcomputer  policy  states  that 
Research  and  information  Division  personnel  will  not  perform 
custom  programming  of  microcomputer  applications.  As  the  usage 
of  microcomputers  becomes  more  common,  programming  by  Research 
and  Information  Division  employees  may  be  appropriate.  Many 
software  packages  require  some  degree  of  customization  to  fit  the 
needs  of  the  user.  In  addition,  purchased  software  and  consultant- 
developed  software  may  require  modification  as  the  business  environ- 
ment changes. 

When  custom  programming  of  microcomputers  appears  desir- 
able, the  department  should  evaluate  the  various  alternatives.  If 
the  application  programming  staff  has  the  necessary  expertise,  it 
may  be  cost  beneficial  to  perform  the  programming  in-house  rather 
than   hire  an  outside  consultant. 

The  Research  and  information  Division  Systems  Development 
Bureau  is  currently  developing  systems  using  microcomputers  as 
workstations.  Research  and  Information  Division  employees  have 
performed    some    programming    on    these    systems.       In    the    future. 
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additional    programming    may    be    necessary    to    complete    these    and 
similar  projects. 

The  Department  of  Revenue  should  modify  microcomputer 
policy  to  allow  Research  and  Information  Programming  of  microcom- 
puter applications  when   in-house  programming   is  cost  beneficial. 

RECOMMENDATION   #13 

WE  RECOMMEND  THE  DEPARTMENT  OF  REVENUE,  WHEN 
COST  BENEFICIAL,  ALLOW  RESEARCH  AND  INFORMATION 
DIVISION  PROGRAMMING  OF  MICROCOMPUTER  APPLICA- 
TIONS. 


Authorized   Use  of  Microcomputers 

Department  of  Revenue  policy  on  microcomputers  does  not 
address  the  authorized  use  of  microcomputers.  Many  organizations 
encourage  non-work-reiated  use  of  microcomputers  for  training 
purposes.  Employees  may  wish  to  use  microcomputer  equipment 
during  non-working  hours  for  word  processing,  home  budgets, 
etc.  We  recognize  there  is  some  training  benefit  of  non-business 
usage;  however,  such  usage  could  lead  to  unauthorized  use  of 
microcomputer  equipment.  In  addition,  a  potential  liability  may 
exist  if  employees  copy  or  use  computer  software  in  violation  of 
licensing  agreements. 

To  discourage  inappropriate  use  of  microcomputer  equipment, 
the  Department  of  Revenue  should  establish  a  policy  on  authorized 
use  of  microcomputer  equipment. 

RECOMMENDATION   #1U 

WE  RECOMMEND  THE  DEPARTMENT  OF  REVENUE  ADOPT  A 
POLICY  ON  AUTHORIZED  USE  OF  MICROCOMPUTER  EQUIP- 
MENT. 
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Microcomputer  Security 

Current  microcomputer  policies  do  not  address  the  need  for 
security  over  information  stored  on  microcomputers.  As  microcom- 
puter usage  increases,  certain  confidential  or  sensitive  information 
may  be  stored  either  temporarily  or  permanently  on  microcomputers. 
In  most  cases,  anyone  having  access  to  a  microcomputer  will  have 
access  to  the  data.  When  confidential  or  sensitive  information  is 
stored  on  microcomputers,  the  responsibility  for  the  security  of 
that  information  should  be  clearly  defined.  In  addition,  steps 
should  be  taken  to  restrict  access  to  confidential  or  sensitive 
information. 

RECOMMENDATION    #15 

WE  RECOMMEND  THE  DEPARTMENT  OF  REVENUE  ADOPT  A 
POLICY  ON  SECURITY  OF  INFORMATION  STORED  ON  MICRO- 
COMPUTERS. 


MINICOMPUTER   USAGE 

The  Department  of  Revenue  owns  two  IBM  System  8100  mini- 
computers. An  IBM  Model  8140  is  used  primarily  for  word  pro- 
cessing (typing)  applications.  An  IBM  Model  8130  is  used  for  data 
processing  applications. 

During  our  preliminary  survey,  we  reviewed  the  reasonable- 
ness of  the  use  of  the  IBM  8140  for  word  processing.  Based  on 
our  review,  we  determined  that  shared  word  processing  using  the 
IBM  8140  was  reasonable  for  an  organization  the  size  of  the  Depart- 
ment of  Revenue. 

The  IBM  8130,  used  for  data  processing  activities,  is  de- 
signed for  standalone  or  distributed  data  processing.  Standalone 
processing  is  where  an  application  is  processed  using  only  the  8130 
processor.  Distributed  processing  is  where  the  data  is  partially 
processed  on  the  8130  processor,  then  additional  processing  is 
performed  on  a  central  or  host  computer.  An  example  of  dis- 
tributed  processing   would   be   where   transactions   were   entered    into 
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the  8130  processor,  edited  for  validity  and  summarized  on  the 
8130.  The  summarized  transactions  could  then  be  communicated  to 
a  central   "host"  computer  to  update  a  master  file. 

Currently  the  department's  8130  minicomputer  is  used  for 
terminal  communication  with  the  state's  central  computer,  sub- 
mission of  data  processing  jobs  to  the  state's  central  computer  for 
processing,  and  printing  data  processing  reports.  No  standalone 
or  distributed   processing   is  performed  on   the  minicomputer. 

In  August  198U  the  Department  of  Revenue  requested  the 
Department  of  Administration,  Information  Services  Division,  and 
IBM  to  participate  in  a  review  of  the  System  8130  usage.  The 
review  resulted  in  a  report  identifying  several  alternatives  for  use 
of  the  8130  processor,  as  well  as  alternatives  for  replacement  of 
the  8130. 

We  evaluated  alternatives  identified  in  the  report  and  deter- 
mined that  currently,  it  is  cost  beneficial  for  the  department  to 
continue  the  use  of  the  8130  as   it  is  presently  used. 
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AGENCY    RESPONSE 


DEPARTMENT  OF  REVENUE 


TED  SCHWINDEN,  GOVERNOR 


MITCHELL  BUILDING 


STATE  OF  MONTANA' 


January  18,  1985 


RFnriVFD 

JAN  J  8 '3:5 

MONTANA  LEGISUTIVE  AUDITOR 


HELENA,  MONTANA  S9620 


Mr.  Robert  R.  Ringwood 
Legislative  Auditor 
State  Capitol 
Helena,  Montana   59620 

Dear  Mr.  Ringwood: 

I  have  enclosed  a  copy  of  this  Department's  responses  to  your 
audit  recommendations  of  our  data  processing  activities. 

You  will  find  that  we  concur  with  the  majority  of  your  recommen- 
dations. There  are  a  few  which  we  agree  with  in  principle  but 
the  implementation  of  which  will  be  subject  to  budgetary  and 
manpower  constraints.  It  is  my  duty  to  set  priorities  within 
those  constraints  and  you  may  be  assured  that  the  latter  recom- 
mendations will  be  evaluated  within  the  context  of  those  priori- 
ties . 

I  wish  to  commend  your  staff  for  the  professional  manner  in  which 
they  carried  out  their  work  and  the  courteous  treatment  afforded 
Department  employees. 

Sincerely, 


LaFaver 


JDL/JMC/dh 
Attachment 
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Department  of  Pevenue 
Response  to  EDP  Audit 

Peconnnendation  11:  We  recommend  the  Department  of  Revenue  limit 
access  to  data  files  and  programs  to  only  those  users  requiring 
access  to  perform  their  duties. 

Response:  VJe  concur.  We  have  undertaken  a  project  which  will 
identify  all  data  owners.  When  we  have  completed  this  work  (pro- 
jected date  March  31,  1985),  we  will  be  in  a  position  to  imple- 
ment more  stringent  controls.  We  currently  plan  to  complete  this 
task  by  June  30,  1985. 

Reconnnendation  #2:   We  recominend  the  Department  of  Revenue: 

A.  Establish   a  policy  preventing  the  use  of  easily  guessed 
passwords. 

B.  Periodically  test  for  easily  guessed  passwords. 

Response:  We  concur.  We  have  eliminated  all  such  passwords  and 
will  incorporate  guidelines  regarding  passwords  and  periodic 
testing  in  our  data  security  policy.  (See  response  to  Recommen- 
dation #4)  . 

Recommendation  #3:  We  recommend  the  Department  of  Pevenue  dis- 
continue use  of  shared  logon  id's. 

Response:  We  concur.  All  shared  logon  id's  were  eliminated  in 
mid-Novem±ier  1984. 

Recommendation  #4:  We  recommend  the  Department  of  Revenue  estab- 
lish formal  policy  defining  the  responsibilities  for  data  pro- 
cessing security. 

Response:  We  concur.  We  currently  plan  to  have  a  draft  policy 
circulated  for  comment  by  March  31,  1985  with  implementation 
scheduled  for  June  30,  1985. 

Recommendation  #5:  We  recomm^end  that  the  Departmtmt  of  Revenue 
establish  a  post-implementation  review  of  the  application  devel- 
opm.ent  process. 

Response:  We  concur  in  principle.  We  have  not  devoted  the 
resources  to  this  sort  of  activity  because  other  development  and 
maintenance  work  was  given  a  higher  priority.  We  are  in  the 
process  of  reviewing  our  data  processing  function  and  v/ill  re- 
evaluate our  former  position  on  a  post-implementation  reviev; 
process . 
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Reconunendation  #6:  We  recoininend  the  Department  of  Revenue  adopt 
formal  procedures  for  documentation  and  testing  of  maintenance 
projects . 

Response:  We  concur.  We  will  have  forma]  written  procedures  in 
place  by  June  30,  1995. 

Recommendation  #7:   We  recommend  the  Department  of  Revenue: 

A.  Document  the  reason  for  deviations  from  written  applica- 
tion development  procedures. 

R.  Define  the  procedures  to  be  followed  when  deviation  from 
written  development  procedures  is  desirable. 

Response : 

A.  We  concur  and  will  strive  to  provide  adequate  documenta- 
tion for  all  deviations  from  written  development  proce- 
dures. 

B.  We  concur  and  wil]  provide  guidelines  governing  devia- 
tions from  written  development  procedures. 

Recommendation  #8:   We  recommend  the  Department  of  Revenue: 

A.  Include  all  costs  and  benefits  in  cost/benefit  analyses. 

B.  Use  present  value  techniques  to  convert  net  costs  or 
benefits  into  present  dollar  values. 

Response : 

A.    We    concur    and   will   include   all   costs   in   future 

cost/benefit  analyses. 
P.    We  concur  and   will   use   present   value   techniques   in 

future  cost/benefit  analyses. 

Recommendation  #9:   We  recommend  the  Department  of  Revenue: 

A.    Complete   application   documentation   as   the   system  is 

being  developed. 
P.    Ensure  documentation  is  complete  before  applications  are 

implemented . 

Response:  We  concur.  We  will  continue  our  efforts  to  resolve 
our  documentation  problems. 
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Recommendation  #10:  We  reconunend  the  Department  of  Revenue 
include  in  period  status  reports: 

T^ .        The  overall  status  of  projects;  and 

P.    The   status  of  projects  pending  development  and  projects 
for  which  development  has  been  temporarily  stopped. 

Response:  We  concur.  We  will  be  making  changes  in  our  status 
reports  as  a  result  of  our  study  of  our  data  processing  function 
and  v;ill  incorporate  these  recommendations  in  our  revised  report- 
ing process. 

Pecommendation  #11:  We  recommend  the  Department  of  Revenue 
develop  a  disaster  recovery  plan  for  critical  data  processing 
applications. 

Response:  We  concur  in  part.  We  will  develop  a  disaster  plan 
covering  our  operation.  Obviously  most  of  ovir  applications  are 
run  on  the  central  computer  and,  thus,  subject  to  the  priorities 
set  in  a  master  plan  for  the  Department  of  Administration  opera- 
tion. 

Recommendation  #12:  We  recommend  the  De^partment  of  Revenue 
arrange  for  off-site  storage  of  data  processing  back-up  files. 

Response:  Vic  concur.  We  have  begun  the  task  of  identifying 
which  data  files  should  be  backed  up  off-site  and  will  have  nec- 
essary procedures  developed  and  implemented  by  June  30,  1985. 

Recommendation  #13:  We  recommend  the  Department  of  Revenue,  when 
cost  beneficial,  allow  Research  and  Information  Division  program- 
ming of  microcomputer  applications. 

Response:  We  concur.  We  will  rewrite  our  microcom.puter  policy 
to  permit  this  activity  when  it  is  cost  beneficial  and  fits  with- 
in the  development  priorities  of  the  Department. 

Recommendation  #14:  We  recommend  the  Department  of  Revenue  adopt 
a  policy  on  authorized  use  of  microcomputer  equipment. 

Response:  We  concur  and  have  added  relevant  sections  to  our 
microcomputer  policy. 

Recommendation  #15:  We  recommend  the  Department  of  Revenue  adopt 
a  policy  on  security  of  information  stored  on  microcomputers. 

Response:  We  concur  and  have  added  relevant  sections  to  our 
microcomputer  policy. 
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